bubulgum
Forum Replies Created
Forum: Plugins
In reply to: [WPS Hide Login] hidden url
@wpsupacc Thanks for your message
Yes, I hope he will understand the problem, because in my opinion this issue makes the use of this plugin dangerous:
As you think your website is protected by this trick (and others, of course), you think you can reduce your vigilance (because you wrongly believe you’ve done everything necessary to secure your website).
However, this is not the case, and your supposedly “hidden” connection URL is far too easily accessible.

Forum: Plugins
In reply to: [WPS Hide Login] hidden url
Hi,
I just downloaded and installed your plugin (which in principle is brilliant!), and I have the same issue.
I think you haven’t understood what @wpsupacc has explained to you… and yes, it’s a real issue that needs to be solved, otherwise your plugin is unfortunately useless ^^ (except if no one ever asks to consult his personal data… unlikely to ever happen). So, I’ve followed the steps to reproduce written by @wpsupacc.
As a reminder:
Because of the GDPR (RGPD) in the EU, or any data protection law anywhere in the world, anyone (let’s say the “user”) can contact a website (let’s say the “webmaster”) and say that he (user) would like to know which of his personal data you (webmaster) have access to via the website.
https://www.cnil.fr/en/rights-and-obligations
To satisfy the request of the user, the webmaster has to follow the following process:
- On the WP dashboard, go to Tools -> Export Personal Data and enter the email address of the user who contacted you to assert his rights.
- WordPress will then send an email to the user with a link he has to click to confirm his request. The link looks like this:
https://www.nameofyourwebsite.com/wp-login.php?action=confirmaction&request_id=235708&confirm_key=e1SASfwUv9aP7paQn4Bt
- When the user clicks the link (to confirm his request), the URL in the browser will change to the hidden URL, and will look like this:
https://www.nameofyourwebsite.com/YOURHIDDENURL/?action=confirmaction&request_id=235708&confirm_key=e1SASfwUv9aP7paQn4Bt
(Do you see the problem now?)
- Afterwards, the webmaster receives a notification that the user’s request has been confirmed (as the user clicked the link… and now knows the secret login URL ^^), and he (webmaster) can then, depending on the user’s request, either send him a copy of his personal data or delete it.
Official WordPress guide: https://www.ads-software.com/documentation/article/tools-export-personal-data-screen/
This is the law. And anyone can ask any website about his “presumed personal data” (for my test, I entered one of my email addresses (XXX) that has nothing to do with one of my websites (YYY)… so, no data found… but the email received on XXX from WordPress contained the confirmation link… which redirects to the hidden URL of the YYY website!)
So it’s a very easy way for a hacker to find out your login page URL… that’s why this is a real issue, and it needs to be solved, otherwise… the main (and only!) goal of your plugin is missed… And it’d be a shame, because you did a great job! So, you just need to adapt it to those new laws about personal data protection (don’t worry, those laws all say quite the same thing), as I see your plugin was created some years before all those laws, and it will be perfect.
If you need further information, don’t hesitate to ask me.
Kind regards,
Jess
This reply was modified 12 months ago by bubulgum.